Escape '%' in arguments to Thread:d.

A user reported this crash when scanning a target whose name contained the '%' character: NSE: Script Engine Scan Aborted. An error was thrown by the engine: nse_main.lua:322: invalid capture index stack traceback: [C]: in function 'gsub' nse_main.lua:322: in function 'd' nse_main.lua:377: in function 'start' nse_main.lua:912: in function 'run' nse_main.lua:1390: in function <nse_main.lua:1293> [C]: in ? I'm not sure how a name with '%' got resolved, but I was able to reproduce the crash by adding this line to /etc/hosts: 127.0.0.1 a%40b and then running ./nmap --script=banner a%40b -d --top-ports 5 The gsub function recognizes "%d", where d is a digit, as a capture index. The constructed string is then passed to print_debug, which is like printf. Therefore we escape every occurrence of "%" twice, to get "%%%%".
2025-12-27 09:59:04 +00:00 · 2014-01-27 22:56:29 +00:00
parent 1d9fa6bea2
commit d6288c5280
1 changed files with 8 additions and 4 deletions
--- a/nse_main.lua
+++ b/nse_main.lua
@@ -315,12 +315,16 @@ do
  -- Changes "%THREAD" with an appropriate identifier for the debug level
  function Thread:d (fmt, ...)
    local against = against_name(self.host, self.port);
+    local function replace(fmt, pattern, repl)
+      -- Escape each % twice: once for gsub, and once for print_debug.
+      return gsub(fmt, pattern, gsub(repl, "%%", "%%%%%%%%"));
+    end
    if debugging() > 1 then
-      fmt = gsub(fmt, "%%THREAD_AGAINST", self.info..against);
-      fmt = gsub(fmt, "%%THREAD", self.info);
+      fmt = replace(fmt, "%%THREAD_AGAINST", self.info..against);
+      fmt = replace(fmt, "%%THREAD", self.info);
    else
-      fmt = gsub(fmt, "%%THREAD_AGAINST", self.short_basename..against);
-      fmt = gsub(fmt, "%%THREAD", self.short_basename);
+      fmt = replace(fmt, "%%THREAD_AGAINST", self.short_basename..against);
+      fmt = replace(fmt, "%%THREAD", self.short_basename);
    end
    print_debug(1, fmt, ...);
  end